12-26-2014 07:16 PM - edited 03-07-2019 10:01 PM
Hello Experts.
I was wanting to hear opinions for the best way to set up two ISR4431's with two 2960x's and two ASA firewalls.
My current design is:
ISP1 router -> ISR4431-A ->{2960x pair} -> ASA-A
ISP2 router -> ISR4431-B ->{2960x pair} -> ASA-B
Currently using public BGP and HSRP on the inside with an SLA monitor to a public IP.
If HSRP is the best way to accomplish this, how do I solve these two problems or is there a better design? (The two 4431's are not connected to each other currently.)
- Least Cost routing (I guess that is what it's called) - I want to visit a website that is located on ISP2's network (or close to it), but HSRP currently has ISP1 as active. If I go out ISP1 it may go around the country or 10 hops before it hits a site that is 4 hops away on the other ISP.
- Asymmetric routing - I think that is where a reply comes in the non-active ISP - how do I prevent that?
I am really just looking for design advice about the best way to use this hardware to create as much redundancy as possible and best performance possible. If you could just share your opinion of "I would use ____" or give me a stamp of reassurance on the above design and any opinion on the two problems.
Thanks for the time!
12-26-2014 08:06 PM
Hi,
If you are running BGP with the service providers, you need an IBGP link between the 2 ISR-4431 routers. If for example you want traffic to go out using sp-1 and come back using the same provider you need to use AS path prepending, so sp-2 sees a longer path to your network and so traffic goes out and comes back through the same provider. In this case you use sp-2 as backup link, if not you can be dealing with asymmetric routing. In addition, for HSRP/VRRP to work both routers should be connecting to the set of 2960x switches. You can simply stack the 2960x switches so they logically look as one device. The same should go for the firewalls. They should connect to the switch stack.
HTH
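The iBGP link and AS path prepending described in the reply above, sketched as an IOS configuration for the router facing sp-2. This is an added example, not configuration posted by anyone in the thread; every AS number, address, and route-map or prefix-list name in it is a constructed placeholder.

```cisco
! Constructed placeholders (documentation ranges, not from the thread):
!   AS 64500          your own AS
!   AS 64511          sp-2
!   203.0.113.0/24    your public prefix
!   10.255.0.0/30     new direct link ISR4431-A (.1) <-> ISR4431-B (.2)
!   198.51.100.1      sp-2 eBGP peer address
!
! ISR4431-B: faces sp-2, the backup provider
!
! Anchor route so the network statement has a matching RIB entry
ip route 203.0.113.0 255.255.255.0 Null0
!
router bgp 64500
 network 203.0.113.0 mask 255.255.255.0
 ! iBGP session to ISR4431-A over the router-to-router link
 neighbor 10.255.0.1 remote-as 64500
 neighbor 10.255.0.1 description iBGP to ISR4431-A
 neighbor 10.255.0.1 next-hop-self
 ! eBGP session to sp-2 with the prepend policy applied outbound
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 description eBGP to sp-2 (backup)
 neighbor 198.51.100.1 route-map PREPEND-TO-SP2 out
!
! Only your own prefix may be announced to sp-2. Once the iBGP session
! is up, ISR4431-B also holds routes learned from sp-1; without this
! filter it would re-advertise them and turn your AS into transit.
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
!
route-map PREPEND-TO-SP2 permit 10
 match ip address prefix-list OUR-PREFIX
 ! Adds your own AS three extra times, so the path through sp-2 looks
 ! longer to the rest of the Internet than the path through sp-1
 set as-path prepend 64500 64500 64500
! No further route-map entries: everything else hits the implicit deny
!
! Apply and verify from exec mode:
!   clear ip bgp 198.51.100.1 soft out
!   show ip bgp neighbors 198.51.100.1 advertised-routes
!   show ip bgp summary
```

ISR4431-A needs the mirror-image iBGP neighbor statement pointing at 10.255.0.2, and its session to sp-1 carries no prepend.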
12-28-2014 09:33 AM
Reza,
Thanks for the time.
I will get to work on linking the two routers. I do have the two 2960x's bound together as one and the routers both connect to them so I think I am good on that side of the routers. Hopefully I will have success with the iBGP link and be all set.
Thanks again for your guidance!